Now that multiple clouds are becoming a standard element of the enterprise there’s a more pressing need to manage who gets access when. That realization has lead to a wave of mergers and acquisitions in which once-standalone cloud access security broker (CASB) software is now being embedded within larger cybersecurity platforms. The latest example of this trend occurred this week with CyberArk, a provider of privileged access management software, moving to acquire Vaultive.
CyberArk CEO Udi Mokady said CyberArk doesn’t plan to offer a standalone CASB. Rather, the core technology developed by Vaultive will be infused into the CyberArk portfolio to provide organizations with more granular control over cloud services alongside their existing on-premises assets.
Mokady said that approach is intended to appeal to two distinct cybersecurity constituencies. In many organizations, access to applications and cloud services is still managed centrally within an IT organization. But there’s also a DevOps shift underway in which developers are taking more control over the management of applications end to end. The CyberArk strategy is to serve both the constituencies by making privileged access management tools accessible either via a graphical user interface or application programming interface.
The acquisition of Vaultive and its CASB technology follows moves by CyberArk to last year acquire Conjur, a provider of secrets management software aimed at developers, and prior to that the purchase of Viewfinity, which added an endpoint access management tool to the company’s portolio.
In general, CyberArk will continue to focus its efforts on privileged access management rather than the broader realm of cybersecurity, Mokady said. Privileged access management has become a more pressing issue in the age of the cloud because beyond the internal IT staff many more end users have privileged access to a wide variety of cloud applications. At the same time, developers are also being granted access to any number of cloud platforms on which to build applications, he noted.
Longer-term, CyberArk will be investing in various types of machine learning algorithms and artificial intelligence (AI) technologies to better secure IT environments, Mokady said. The company has already started down the path of including rules-based access controls into its software, he noted, and AI capabilities would make it easier for IT organizations to conduct “Red Team” cybersecurity drills, during which organizations attack themselves to discover where applications and systems are vulnerable. It’s only a matter of time now before cybercriminals start making use of AI to try and discover those vulnerabilities first, he said.
A recent study published by CyberArk finds that even after a cyberattack has been launched, nearly half of organizations are unable to alter their cybersecurity tactics either because of inertia or a vulnerability that can’t be fixed. The same survey also finds that only 8 percent of respondents said they’ve implemented Red Team techniques to more aggressively discover vulnerabilities.
Obviously, there will never been anything such as perfect security. But at a time when cybercriminals are targeting users who have access to privileged credentials like never before, it’s more than apparent IT organizations on the whole still making it too easy for them to succeed.